Hardness of Computing Individual Bits for One-Way Functions on Elliptic Curves

  • Alexandre Duc
  • Dimitar Jetchev
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7417)


We prove that if one can predict any of the bits of the input to an elliptic curve based one-way function over a finite field, then we can invert the function. In particular, our result implies that if one can predict any of the bits of the input to a classical pairing-based one-way function with non-negligible advantage over a random guess then one can efficiently invert this function and thus, solve the Fixed Argument Pairing Inversion problem (FAPI-1/FAPI-2). The latter has implications on the security of various pairing-based schemes such as the identity-based encryption scheme of Boneh–Franklin, Hess’ identity-based signature scheme, as well as Joux’s three-party one-round key agreement protocol. Moreover, if one can solve FAPI-1 and FAPI-2 in polynomial time then one can solve the Computational Diffie–Hellman problem (CDH) in polynomial time.

Our result implies that all the bits of the functions defined above are hard-to-compute assuming these functions are one-way. The argument is based on a list-decoding technique via discrete Fourier transforms due to Akavia–Goldwasser–Safra as well as an idea due to Boneh–Shparlinski.


One-way function hard-to-compute bits bilinear pairings elliptic curves fixed argument pairing inversion problem Fourier transform list decoding 


  1. 1.
    Akavia, A.: Learning Noisy Characters, Multiplication Codes, and Cryptographic Hardcore Predicates. Ph.D. thesis, Massachusetts Institute of Technology (2008)Google Scholar
  2. 2.
    Akavia, A., Goldwasser, S., Safra, S.: Proving Hard-Core Predicates Using List Decoding. In: FOCS, pp. 146–157. IEEE Computer Society (2003)Google Scholar
  3. 3.
    Alexi, W., Chor, B., Goldreich, O., Schnorr, C.: RSA and Rabin Functions: Certain Parts are as Hard as the Whole. SIAM J. Comput. 17(2), 194–209 (1988)Google Scholar
  4. 4.
    Blum, M., Micali, S.: How to Generate Cryptographically Strong Sequences of Pseudo-Random Bits. SIAM J. Comput. 13(4), 850–864 (1984)Google Scholar
  5. 5.
    Boneh, D., Franklin, M.: Identity-Based Encryption from the Weil Pairing. In: Kilian (ed.) [25], pp. 213–229Google Scholar
  6. 6.
    Boneh, D., Shparlinski, I.: On the Unpredictability of Bits of the Elliptic Curve Diffie–Hellman Scheme. In: Kilian (ed.) [25], pp. 201–212Google Scholar
  7. 7.
    Boneh, D., Venkatesan, R.: Hardness of Computing the Most Significant Bits of Secret Keys in Diffie-Hellman and Related Schemes. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 129–142. Springer, Heidelberg (1996)Google Scholar
  8. 8.
    Boneh, D., Halevi, S., Howgrave-Graham, N.: The Modular Inversion Hidden Number Problem. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 36–51. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  9. 9.
    Boneh, D., Venkatesan, R.: Rounding in Lattices and its Cryptographic Applications. In: Saks, M.E. (ed.) SODA, pp. 675–681. ACM/SIAM (1997)Google Scholar
  10. 10.
    Duc, A., Jetchev, D.: Hardness of Computing Individual Bits for One-way Functions on Elliptic Curves (full version). Cryptology ePrint Archive, Report 2011/329 (2011), http://eprint.iacr.org/
  11. 11.
    Galbraith, S., Hess, F., Vercauteren, F.: Aspects of Pairing Inversion. IEEE Transactions on Information Theory 54(12), 5719–5728 (2008)Google Scholar
  12. 12.
    Galbraith, S.D., Hopkins, H.J., Shparlinski, I.E.: Secure Bilinear Diffie-Hellman Bits. In: Wang, H., Pieprzyk, J., Varadharajan, V. (eds.) ACISP 2004. LNCS, vol. 3108, pp. 370–378. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  13. 13.
    Goldmann, M., Näslund, M., Russell, A.: Complexity Bounds on General Hard-Core PredicatesGoogle Scholar
  14. 14.
    Goldreich, O., Levin, L.: A Hard-Core Predicate for all One-Way Functions. In: STOC, pp. 25–32. ACM (1989)Google Scholar
  15. 15.
    Gonzalez Vasco, M.I., Shparlinski, I.: On the Security of Diffie-Hellman Bits. Electronic Colloquium on Computational Complexity (ECCC) 7(45) (2000)Google Scholar
  16. 16.
    Gonzalez Vasco, M.I., Shparlinski, I.: Security of the most significant bits of the shamir message passing scheme. Math. Comput. 71(237), 333–342 (2002)Google Scholar
  17. 17.
    Håstad, J., Näslund, M.: The Security of Individual RSA Bits. In: FOCS, pp. 510–521 (1998)Google Scholar
  18. 18.
    Håstad, J., Schrift, A., Shamir, A.: The Discrete Logarithm Modulo a Composite Hides \(O(n)\) Bits. J. Comput. Syst. Sci. 47(3), 376–404 (1993)Google Scholar
  19. 19.
    Hess, F.: Efficient Identity Based Signature Schemes Based on Pairings. In: Nyberg, K., Heys, H. (eds.) SAC 2002. LNCS, vol. 2595, pp. 310–324. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  20. 20.
    Howgrave-Graham, N., Nguyen, P.Q., Shparlinski, I.: Hidden number problem with hidden multipliers, timed-release crypto, and noisy exponentiation. Math. Comput. 72(243), 1473–1485 (2003)Google Scholar
  21. 21.
    Jao, D., Miller, S.D., Venkatesan, R.: Do All Elliptic Curves of the Same Order Have the Same Difficulty of Discrete Log? In: Roy, B. (ed.) ASIACRYPT 2005. LNCS, vol. 3788, pp. 21–40. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  22. 22.
    Jetchev, D., Venkatesan, R.: Bits Security of the Elliptic Curve Diffie–Hellman Secret Keys. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 75–92. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  23. 23.
    Joux, A.: A One Round Protocol for Tripartite Diffie–Hellman. In: Bosma, W. (ed.) ANTS 2000. LNCS, vol. 1838, pp. 385–394. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  24. 24.
    Joux, A.: The Weil and Tate Pairings as Building Blocks for Public Key Cryptosystems. In: Fieker, C., Kohel, D.R. (eds.) ANTS 2002. LNCS, vol. 2369, pp. 20–32. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  25. 25.
    Kilian, J. (ed.): CRYPTO 2001. LNCS, vol. 2139. Springer, Heidelberg (2001)Google Scholar
  26. 26.
    Li, W.-C.W., Näslund, M., Shparlinski, I.E.: Hidden Number Problem with the Trace and Bit Security of XTR and LUC. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 433–448. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  27. 27.
    Morillo, P., Ràfols, C.: The Security of All Bits Using List Decoding. In: Jarecki, S., Tsudik, G. (eds.) PKC 2009. LNCS, vol. 5443, pp. 15–33. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  28. 28.
    Nguyen, P.Q., Shparlinski, I.: The Insecurity of the Digital Signature Algorithm with Partially Known Nonces. J. Cryptology 15(3), 151–176 (2002)Google Scholar
  29. 29.
    Nguyen, P.Q., Shparlinski, I.: The Insecurity of the Elliptic Curve Digital Signature Algorithm with Partially Known Nonces. Des. Codes Cryptography 30(2), 201–217 (2003)Google Scholar
  30. 30.
    Nguyen, P.Q.: The dark side of the hidden number problem: Lattice attacks on DSA. In: Proc. Workshop on Cryptography and Computational Number Theory, pp. 321–330 (2001)Google Scholar
  31. 31.
    Paillier, P.: Public-Key Cryptosystems Based on Composite Degree Residuosity Classes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 223–238. Springer, Heidelberg (1999)Google Scholar
  32. 32.
    Rabin, M.: Digitalized signatures and public-key functions as intractable as factorization (1979)Google Scholar
  33. 33.
    Rivest, R., Shamir, A., Adleman, L.: A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM 21(2), 120–126 (1978)Google Scholar
  34. 34.
    Sakai, R., Ohgishi, K., Kasahara, M.: Cryptosystems based on pairings. In: Proceedings of SCIS 2000, Okinawa, Japan (2000)Google Scholar
  35. 35.
    Schnorr, C.: Security of Allmost ALL Discrete Log Bits. Electronic Colloquium on Computational Complexity (ECCC) 5(33) (1998)Google Scholar
  36. 36.
    Schrift, A., Shamir, A.: The Discrete Log is Very Discreet. In: STOC, pp. 405–415. ACM (1990)Google Scholar
  37. 37.
    Shparlinski, I.E.: On the Generalised Hidden Number Problem and Bit Security of XTR. In: Bozta, S., Sphparlinski, I. (eds.) AAECC 2001. LNCS, vol. 2227, pp. 268–277. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  38. 38.
    Shparlinski, I.,Winterhof, A.: A hidden number problem in small subgroups. Math. Comput. 74(252), 2073–2080 (2005)Google Scholar
  39. 39.
    Smart, N.P.: Identity-based authenticated key agreement protocol based on weil pairing. Electronics Letters 38(13), 630–632 (2002)Google Scholar

Copyright information

© International Association for Cryptologic Research 2012 2012

Authors and Affiliations

  • Alexandre Duc
    • 1
  • Dimitar Jetchev
    • 2
  1. 1.LASECEPFLLausanneSwitzerland
  2. 2.LACALEPFLLausanneSwitzerland

Personalised recommendations